All the vulnerabilites related to Apache Software Foundation - Apache Xalan-J
cve-2022-34169
Vulnerability from cvelistv5
Published
2022-07-19 00:00
Modified
2024-08-03 08:16
Severity ?
EPSS score ?
Summary
Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache Xalan-J |
Version: Xalan-J < |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T08:16:17.277Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://lists.apache.org/thread/2qvl7r43wb4t8p9dd9om1bnkssk07sn8" }, { "tags": [ "x_transferred" ], "url": "https://lists.apache.org/thread/12pxy4phsry6c34x2ol4fft6xlho4kyw" }, { "name": "[oss-security] 20220719 CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets", "tags": [ "mailing-list", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/07/19/5" }, { "tags": [ "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "name": "[oss-security] 20220719 Re: CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets", "tags": [ "mailing-list", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/07/19/6" }, { "name": "[oss-security] 20220719 Re: CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets", "tags": [ "mailing-list", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/07/20/2" }, { "name": "[oss-security] 20220720 Re: CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets", "tags": [ "mailing-list", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/07/20/3" }, { "name": "DSA-5188", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://www.debian.org/security/2022/dsa-5188" }, { "name": "DSA-5192", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://www.debian.org/security/2022/dsa-5192" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20220729-0009/" }, { "name": "FEDORA-2022-19b6f21746", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KO3DXNKZ4EU3UZBT6AAR4XRKCD73KLMO/" }, { "name": "FEDORA-2022-ae563934f7", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JN3EVGR7FD3ZLV5SBTJXUIDCMSK4QUE2/" }, { "name": "FEDORA-2022-e573851f56", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YULPNO3PAWMEQQZV2C54I3H3ZOXFZUTB/" }, { "name": "FEDORA-2022-d26586b419", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5OZNAZJ4YHLOKRRRZSWRT5OJ25E4XLM/" }, { "name": "FEDORA-2022-80afe2304a", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3XPOTPPBZIPFBZHQE5E7OW6PDACUMCJ/" }, { "name": "FEDORA-2022-b76ab52e73", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H4YNJSJ64NPCNKFPNBYITNZU5H3L4D6L/" }, { "tags": [ "x_transferred" ], "url": "http://packetstormsecurity.com/files/168186/Xalan-J-XSLTC-Integer-Truncation.html" }, { "name": "[oss-security] 20221017 Re: CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets", "tags": [ "mailing-list", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/10/18/2" }, { "name": "[debian-lts-announce] 20221018 [SECURITY] [DLA 3155-1] bcel security update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00024.html" }, { "name": "DSA-5256", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://www.debian.org/security/2022/dsa-5256" }, { "name": "[oss-security] 20221104 Re: CVE-2022-42920: Apache Commons BCEL prior to 6.6.0 allows producing arbitrary bytecode via out-of-bounds writing", "tags": [ "mailing-list", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/11/04/8" }, { "name": "[oss-security] 20221107 Re: CVE-2022-42920: Apache Commons BCEL prior to 6.6.0 allows producing arbitrary bytecode via out-of-bounds writing", "tags": [ "mailing-list", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/11/07/2" }, { "tags": [ "x_transferred" ], "url": "https://security.gentoo.org/glsa/202401-25" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20240621-0006/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache Xalan-J", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "2.7.2", "status": "affected", "version": "Xalan-J", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Reported by Felix Wilhelm, Google Project Zero" } ], "descriptions": [ { "lang": "en", "value": "The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan." } ], "problemTypes": [ { "descriptions": [ { "description": "integer truncation", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-05-05T07:29:25.615Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "url": "https://lists.apache.org/thread/2qvl7r43wb4t8p9dd9om1bnkssk07sn8" }, { "url": "https://lists.apache.org/thread/12pxy4phsry6c34x2ol4fft6xlho4kyw" }, { "name": "[oss-security] 20220719 CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets", "tags": [ "mailing-list" ], "url": "http://www.openwall.com/lists/oss-security/2022/07/19/5" }, { "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "name": "[oss-security] 20220719 Re: CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets", "tags": [ "mailing-list" ], "url": "http://www.openwall.com/lists/oss-security/2022/07/19/6" }, { "name": "[oss-security] 20220719 Re: CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets", "tags": [ "mailing-list" ], "url": "http://www.openwall.com/lists/oss-security/2022/07/20/2" }, { "name": "[oss-security] 20220720 Re: CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets", "tags": [ "mailing-list" ], "url": "http://www.openwall.com/lists/oss-security/2022/07/20/3" }, { "name": "DSA-5188", "tags": [ "vendor-advisory" ], "url": "https://www.debian.org/security/2022/dsa-5188" }, { "name": "DSA-5192", "tags": [ "vendor-advisory" ], "url": "https://www.debian.org/security/2022/dsa-5192" }, { "url": "https://security.netapp.com/advisory/ntap-20220729-0009/" }, { "name": "FEDORA-2022-19b6f21746", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KO3DXNKZ4EU3UZBT6AAR4XRKCD73KLMO/" }, { "name": "FEDORA-2022-ae563934f7", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JN3EVGR7FD3ZLV5SBTJXUIDCMSK4QUE2/" }, { "name": "FEDORA-2022-e573851f56", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YULPNO3PAWMEQQZV2C54I3H3ZOXFZUTB/" }, { "name": "FEDORA-2022-d26586b419", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5OZNAZJ4YHLOKRRRZSWRT5OJ25E4XLM/" }, { "name": "FEDORA-2022-80afe2304a", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3XPOTPPBZIPFBZHQE5E7OW6PDACUMCJ/" }, { "name": "FEDORA-2022-b76ab52e73", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H4YNJSJ64NPCNKFPNBYITNZU5H3L4D6L/" }, { "url": "http://packetstormsecurity.com/files/168186/Xalan-J-XSLTC-Integer-Truncation.html" }, { "name": "[oss-security] 20221017 Re: CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets", "tags": [ "mailing-list" ], "url": "http://www.openwall.com/lists/oss-security/2022/10/18/2" }, { "name": "[debian-lts-announce] 20221018 [SECURITY] [DLA 3155-1] bcel security update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00024.html" }, { "name": "DSA-5256", "tags": [ "vendor-advisory" ], "url": "https://www.debian.org/security/2022/dsa-5256" }, { "name": "[oss-security] 20221104 Re: CVE-2022-42920: Apache Commons BCEL prior to 6.6.0 allows producing arbitrary bytecode via out-of-bounds writing", "tags": [ "mailing-list" ], "url": "http://www.openwall.com/lists/oss-security/2022/11/04/8" }, { "name": "[oss-security] 20221107 Re: CVE-2022-42920: Apache Commons BCEL prior to 6.6.0 allows producing arbitrary bytecode via out-of-bounds writing", "tags": [ "mailing-list" ], "url": "http://www.openwall.com/lists/oss-security/2022/11/07/2" }, { "url": "https://security.gentoo.org/glsa/202401-25" }, { "url": "https://security.netapp.com/advisory/ntap-20240621-0006/" } ], "source": { "discovery": "UNKNOWN" }, "title": "Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets", "x_generator": { "engine": "Vulnogram 0.0.9" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-34169", "datePublished": "2022-07-19T00:00:00", "dateReserved": "2022-06-21T00:00:00", "dateUpdated": "2024-08-03T08:16:17.277Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }